Acceptable Use Policy

Last updated: March 23, 2026 · ThoughtWave Technologies, Inc.

1. Purpose and Scope

This Acceptable Use Policy (“AUP”) governs use of all services provided by ThoughtWave Technologies, Inc. (“ThoughtWave,” “we,” “our,” or “us”), including virtual machines (VPS), virtual desktop infrastructure (VDI), BGP tunnel provisioning, ZFS storage, and the Stratum multi-cloud management platform (collectively, the “Services”).

This AUP is incorporated by reference into ThoughtWave's Terms of Service and applies to all customers, users, and any party using or accessing the Services directly or through a reseller. If you are a reseller or allow third parties to access resources provisioned through your account, you are responsible for ensuring those parties comply with this AUP.

ThoughtWave operates internet infrastructure and is responsible for the conduct of traffic that traverses our network. Violations of this AUP threaten the integrity of our infrastructure, harm other customers and the broader internet community, and may expose ThoughtWave and its customers to legal liability. We take AUP enforcement seriously.

2. General Prohibitions

You may not use the Services for any activity that is illegal, harmful, or abusive. The following activities are prohibited on all ThoughtWave services:

2.1 Network Attacks and Abuse

  • DDoS and DoS attacks: Launching, coordinating, facilitating, or participating in any denial-of-service (DoS) or distributed denial-of-service (DDoS) attack against any target, including ThoughtWave's own infrastructure. This includes UDP/TCP flood attacks, amplification attacks (DNS, NTP, memcached, SSDP), and reflection attacks.
  • Unauthorized scanning and probing: Conducting port scans, network reconnaissance, or vulnerability scans against third-party systems without documented written authorization from the owner or operator of the target systems. Scanning your own resources or resources for which you have explicit written authorization is permitted.
  • Botnets and command-and-control: Operating botnet infrastructure, command-and-control (C2) servers, or any system used to coordinate malicious activity against third parties.
  • IP address spoofing: Transmitting packets with forged or spoofed source IP addresses, except for legitimate use cases explicitly authorized in writing by ThoughtWave (such as ECMP testing within your own allocated prefix space).
  • Traffic interception: Intercepting, monitoring, or interfering with network traffic not destined for your own resources (ARP spoofing, MITM attacks, traffic mirroring without consent).

2.2 Malware and Malicious Content

  • Storing, hosting, distributing, or transmitting malware, ransomware, trojans, keyloggers, spyware, adware, worms, or any other malicious software.
  • Operating phishing sites, credential harvesting pages, or any infrastructure designed to deceive users into disclosing credentials, financial information, or other sensitive data.
  • Hosting exploit kits, vulnerability databases used for offensive purposes, or tooling specifically designed for unauthorized access to third-party systems.

2.3 Spam and Unsolicited Communications

  • Sending unsolicited bulk email (spam), regardless of whether the email itself is commercial in nature. This includes email sent via third-party services relayed through ThoughtWave IP space.
  • Operating open mail relays or mail proxies that permit unauthorized third parties to send email through your infrastructure.
  • Harvesting or collecting email addresses, usernames, or other personal information from third-party systems without authorization.
  • Sending bulk SMS, voice calls, or other communications in violation of applicable law (CAN-SPAM Act, TCPA, GDPR, or equivalent regulations).

2.4 Illegal Content and Activities

  • Storing, hosting, processing, or distributing any content that is illegal under applicable United States federal or state law, or under the laws of the jurisdiction in which the content is accessed.
  • Any use that violates export control laws, sanctions regulations (OFAC), or embargoes applicable to United States persons or entities.
  • Using the Services to facilitate human trafficking, illegal weapons sales, controlled substance sales, or other criminal enterprises.
  • Storing or distributing material that sexually exploits minors (CSAM) in any form. Violations will be reported to the National Center for Missing and Exploited Children (NCMEC) and relevant law enforcement immediately, without notice.

2.5 Cryptocurrency Mining

Cryptocurrency mining is prohibited on all ThoughtWave Services unless you have received explicit written authorization from ThoughtWave and are operating under a dedicated compute plan specifically designated for that purpose. Unauthorized mining consumes disproportionate CPU, memory, and network resources and degrades service quality for other customers. Accounts found to be engaged in unauthorized mining will be suspended immediately without prior notice.

2.6 Resource Abuse

  • Using the Services in a manner that disproportionately burdens shared infrastructure or interferes with the service quality experienced by other ThoughtWave customers.
  • Circumventing rate limits, resource quotas, or access controls imposed by ThoughtWave.
  • Reselling or sublicensing access to the Services without a separately executed written reseller agreement with ThoughtWave.

3. BGP-Specific Requirements

Customers using ThoughtWave's BGP tunnel provisioning service are subject to the following additional requirements, which reflect the serious responsibility that comes with routing authority over public internet address space.

3.1 IP Address Ownership and Authorization

  • You must own or hold a valid license to use all IP address prefixes you announce through ThoughtWave's network. ThoughtWave requires a signed Letter of Authorization (LOA) from the registered resource holder (ARIN, RIPE, APNIC, or equivalent RIR) before any prefix is accepted.
  • You must maintain accurate and current registration of your IP resources with the appropriate Regional Internet Registry (RIR). ThoughtWave will verify RIR records at the time of provisioning and may conduct periodic re-verification.
  • You may not announce prefixes more specific than a /24 for IPv4 or a /48 for IPv6 without ThoughtWave's prior written consent.

3.2 Route Hijacking Prohibited

Route hijacking — announcing IP address prefixes that you do not own or are not authorized to announce — is strictly prohibited. This includes announcing prefixes assigned to other organizations, announcing aggregate blocks in excess of your authorized allocation, or colluding with others to redirect traffic away from its legitimate destination. Route hijacking is a serious abuse of the BGP system and may constitute fraud. Violations will result in immediate session termination and may be reported to appropriate authorities, including the affected RIR and ARIN.

3.3 RPKI and Route Security

  • Customers are strongly encouraged to create RPKI Route Origin Authorizations (ROAs) for all prefixes announced through ThoughtWave. ThoughtWave performs RPKI origin validation and may filter RPKI-invalid routes at its discretion.
  • Customers must maintain accurate IRR (Internet Routing Registry) route and route6 objects for their announced prefixes. ThoughtWave may use IRR data to validate announcements.

3.4 NOC Contact Requirement

BGP customers must maintain a valid, monitored Network Operations Center (NOC) contact — an email address or phone number capable of receiving abuse and security notifications within a reasonable timeframe. During provisioning and for the duration of service, you must notify ThoughtWave of any changes to your NOC contact at [email protected]. ThoughtWave expects BGP customers to respond to security notifications within 4 hours and to remediate confirmed abuse within 24 hours.

3.5 Traffic Originating from Your Prefix Space

You are responsible for all traffic originating from IP addresses within your announced prefixes. If your prefix space is used as a source of DDoS attacks, spam campaigns, or other abuse — whether by you, your end-users, or unauthorized parties who have compromised your systems — ThoughtWave may filter or withdraw your announcements until the abuse is remediated.

4. Security Research and Penetration Testing

ThoughtWave recognizes that legitimate security research and authorized penetration testing are valuable activities. The following rules apply:

  • Testing your own resources: You may conduct security testing on VMs, services, and infrastructure provisioned in your own account without prior approval, provided the testing does not affect ThoughtWave infrastructure or other customers' resources.
  • Testing third-party targets: You must obtain documented written authorization from the target organization before conducting any security testing against systems outside your account. ThoughtWave may request evidence of this authorization in connection with any abuse complaint.
  • ThoughtWave infrastructure: You may not conduct security testing against ThoughtWave's own infrastructure, APIs, or management systems without prior written authorization from ThoughtWave. To report security vulnerabilities in ThoughtWave systems, contact [email protected].

5. Reporting Abuse

If you believe a ThoughtWave customer is violating this AUP or using ThoughtWave infrastructure to conduct abuse against your systems or network, please report it to us:

Email: [email protected]

Include in your report:

  • The source IP address(es) involved;
  • A description of the abusive activity;
  • Relevant log excerpts with timestamps (UTC preferred) and source/destination IPs;
  • Your contact information for follow-up.

ThoughtWave reviews all abuse reports and will respond within 24 hours for active network abuse (DDoS, scanning) and within 72 hours for other reports. We may contact the reporting party for additional information. Reports are handled confidentially.

6. Enforcement

ThoughtWave enforces this AUP at its sole discretion. Enforcement actions may include:

6.1 Immediate Suspension (No Prior Notice)

The following violations will result in immediate service suspension without prior notice, due to the serious, time-sensitive nature of the harm:

  • Active participation in a DDoS attack;
  • Spam campaigns generating significant external complaints;
  • Distribution of malware or operation of C2 infrastructure;
  • Route hijacking;
  • Storage or distribution of CSAM;
  • Any activity that poses an immediate threat to ThoughtWave infrastructure or other customers.

6.2 Warning and Remediation Period

For less severe or ambiguous violations, ThoughtWave will typically provide written notice of the violation and a reasonable remediation period (generally 24 to 72 hours) before taking further action. Failure to remediate within the specified period will result in service suspension. ThoughtWave has no obligation to provide a remediation period for repeat violations or for violations that continue after initial notice.

6.3 Account Termination

Severe or repeated AUP violations may result in permanent account termination. Terminated accounts are not eligible for refunds of prepaid fees. ThoughtWave reserves the right to decline new accounts from individuals or organizations with a history of AUP violations.

6.4 Network-Level Mitigation

In cases of active network abuse — such as a DDoS attack originating from or targeting resources in our network — ThoughtWave may implement network-level mitigations including null routing, black-hole routing, or traffic filtering to protect infrastructure and other customers. These mitigations may be applied before notice is possible and will remain in effect until the abuse is confirmed to have ceased.

6.5 Cooperation with Law Enforcement

ThoughtWave will cooperate with law enforcement and legal authorities in connection with investigations of illegal activity. We will respond to valid legal process (subpoenas, court orders, search warrants) and may be required by law to disclose account and connection information without notifying the account holder.

7. Customer Responsibility for End Users

If you provide services to third parties using ThoughtWave infrastructure — whether as a reseller, a hosting provider, or a platform operator — you are responsible for ensuring that your customers and end users comply with this AUP. You must implement reasonable controls to detect and prevent AUP violations by parties using your resources, respond promptly to abuse reports, and cooperate with ThoughtWave investigations. ThoughtWave may hold you accountable for the conduct of parties using resources allocated to your account.

8. Changes to This Policy

ThoughtWave may update this AUP from time to time to reflect changes in the threat landscape, legal requirements, or our service offerings. We will post updated versions at thoughtwave.com/legal/acceptable-use and notify customers of material changes by email. Continued use of the Services after an update constitutes your acceptance of the revised AUP.

9. Contact

Abuse reports: [email protected]
Network Operations Center: [email protected]
Security vulnerabilities: [email protected]
Legal inquiries: [email protected]
ThoughtWave Technologies, Inc. · Michigan, United States
